Hey all. Trying to implement a row level security solution, where certain administrators only have access to employees in defined organizations (more complicated than that, but that's the gist). After much googling, I found no good solutions. If someone has suggestions, I'd me very appreciative. Failing that, I decided to try and write my own. I've got a couple ideas:

Idea 1:
Use the @PostLoad callback to check whether the loaded entity has permission to be loaded by the administrator in context.

The Explanation:
After loading an employee, the @PostLoad can do whatever logic I need to determine if the administrator in context (available through a ThreadLocal) has permissions to review the employee object which was just loaded.

The Problem:
Two problems really. I'd prefer to be able to null out the object if the user does not have access, but I can't null out an object from within that object. Also, this solution requires me to do the logic checks after the DB call, which I'd prefer to avoid for efficiency sake.


Idea 2:
Create a new annotation similar to @Where, indicating that the returned object should be subject to special criteria.

The Explanation:
I can create an @Where with a clause which should be included on all generated HQL queries retrieving that value (e.g. "is_active=1"). That seems like logically the location I'd like to add these row-level security clauses. Unfortunately I can't dynamically modify the content of that clause (e.g. to change it to "org_id=1" vs "org_id=2"). If I could emulate the @Where annotation I could extend it to allow for dynamically created clauses (I'd make these available through a threadlocal), and the problem is solved.

The Problem:
I can't tell ascertain where the Hibernate annotations are being processed, and if I found it not sure I could extend it. I could of course dupe it and inject a new class into the jar, but that is unsanitary and difficult to maintain- don't want to consider it.


I'd love any feedback. Thanks!